A system for private networking within a virtual infrastructure is presented. The system includes a virtual machine (VM) in a first host, the VM being associated with a first virtual network interface card (VNIC), a second VM in a second host, the second VM being associated with a second VNIC, the first and second VNICs being members of a fenced group of computers that have exclusive direct access to a private virtual network, wherein VNICs outside the fenced group do not have direct access to packets on the private virtual network, a filter in the first host that encapsulates a packet sent on the private virtual network from the first VNIC, the encapsulation adding to the packet a new header and a fence identifier for the fenced group, and a second filter in the second host that de-encapsulates the packet to extract the new header and the fence identifier.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of defining overlay-network encapsulation headers to establish a particular private virtual network (PVN) over a shared physical network, the method comprising: at a filter executing on a first host computer: receiving a packet sent by a first machine executing on the first host computer, the packet addressed to a second machine executing on a second host computer, the first and second machines being members of the particular PVN which also includes a plurality of other machines; generating, for the packet, an overlay-network encapsulation header that allows the packet to be forwarded on the particular PVN to the second machine; storing, in the generated encapsulation header, an identifier that identifies the particular PVN, said particular PVN identifier stored in the encapsulation header to ensure that only machines that are members of the particular PVN have access to the messages sent along the shared physical network, the particular PVN identifier allowing multiple PVNs to be defined on the shared physical network for multiple different sets of machines; and encapsulating the packet with the encapsulating header and forwarding the encapsulated packet to the second machine over the physical network.
2. The method of claim 1, wherein the first machine is a first virtual machine (VM) executing on the first host computer, and the second machine is a second VM executing on the second host computer.
3. The method of claim 2, wherein each VM has an associated virtual network interface card (VNIC), and the filter is associated with a VNIC of the first VM.
4. The method of claim 2, wherein the filter is a module that executes on the first host computer outside of the first VM and that processes packets sent by the first VM.
5. The method of claim 2, wherein receiving the packet sent by the first machine comprises obtaining the packet as the packet passes along an egress data path from the first VM to a physical network interface card (PNIC) of the first host computer.
6. The method of claim 5, wherein the packet is obtained before the packet is processed by a software switch executing on the first host computer, forwarding the encapsulated packet to the second VM comprises sending the packet to the software switch for forwarding to the PNIC to send the encapsulated packet to the physical network, and the physical network forwarding the encapsulated packet to the second host computer, which removes the encapsulated overlay-network header, uses a destination address in an original header of the packet to identify the second VM, and passes the packet to the second VM.
7. The method of claim 1, wherein the filter comprises a bridge table that stores addresses of destination hosts where machines of the particular PVN execute.
8. The method of claim 1 further comprising: when the size of the encapsulated packet exceeds the maximum-transmission unit (MTU) for the network, fragmenting the packet into at least two packets and encapsulating each of the two packets with an overlay encapsulation header before sending the encapsulated packets over the physical network.
9. The method of claim 8, wherein encapsulating the packet with an overlay-network encapsulation header further comprises encapsulating the packet with (i) a 2-bit field to indicate whether the packet has been fragmented and (ii) a fragment sequence number that indicates which fragment number corresponds to the packet.
10. The method of claim 9, wherein the filter executing on the first host computer is a first filter, and a second filter executing on the second host computer (i) receives each of the two packets, (ii) identifies each of the two packets as fragments based on the 2-bit field and fragment sequence number found in the encapsulation headers of each of the two packets, and (iii) combines the fragments to reconstruct the original encapsulated packet.
11. The method of claim 1, wherein the filter executing on the first host computer is a first filter, and a second filter executes on the second host computer and with the first filter forms a distributed virtual filter that adds and removes encapsulating headers with the particular PVN identifier to allow the first and second machines to exchange packets associated with the particular PVN.
12. A non-transitory machine readable medium storing a filter for defining overlay-network encapsulation headers to establish a particular private virtual network (PVN) over a shared physical network, the filter for execution by at least one hardware processing unit of a first host computer, the filter comprising sets of instructions for: receiving a packet sent by a first machine executing on the first host computer, the packet addressed to a second machine executing on a second host computer, the first and second machines being members of the particular PVN which also includes a plurality of other machines; generating, for the packet, an overlay-network encapsulation header that allows the packet to be forwarded on the particular PVN to the second machine; storing, in the generated encapsulation header, an identifier that identifies the particular PVN, said particular PVN identifier stored in the encapsulation header to ensure that only machines that are members of the particular PVN have access to the messages sent along the shared physical network, the particular PVN identifier allowing multiple PVNs to be defined on the shared physical network for multiple different sets of machines; and encapsulating the packet with the encapsulation header and forwarding the encapsulated packet to the second machine over the physical network.
13. The non-transitory machine readable medium of claim 12, wherein the first machine is a first virtual machine (VM) executing on the first host computer, and the second machine is a second VM executing on the second host computer.
14. The non-transitory machine readable medium of claim 13, wherein each VM has an associated virtual network interface card (VNIC), and the filter is associated with a VNIC of the first VM.
15. The non-transitory machine readable medium of claim 13, wherein the filter is a program that executes on the first host computer outside of the first VM and that processes packets sent by the first VM.
16. The non-transitory machine readable medium of claim 13, wherein the set of instructions for receiving the packet sent by the first machine comprises a set of instructions for obtaining the packet as the packet passes along an egress data path from the first VM to a physical network interface card (PNIC) of the first host computer.
17. The non-transitory machine readable medium of claim 16, wherein the packet is obtained before the packet is processed by a software switch executing on the first host computer, the set of instructions for forwarding the encapsulated packet to the second VM comprises a set of instructions for sending the packet to the software switch for forwarding to the PNIC to send the encapsulated packet to the physical network, and the physical network forwarding the encapsulated packet to the second host computer, which removes the encapsulated overlay-network header, uses a destination address in an original header of the packet to identify the second VM, and passes the packet to the second VM.
18. The non-transitory machine readable medium of claim 12, wherein the filter uses a bridge table that stores addresses of destination hosts where machines of the particular PVN execute.
19. The non-transitory machine readable medium of claim 12, wherein the sets of instructions are further for: fragmenting the packet into at least two packets when the size of the encapsulated packet exceeds the maximum-transmission unit (MTU) for the network, and encapsulating each of the two packets with an overlay encapsulation header before sending the encapsulated packets over the physical network.
20. The non-transitory machine readable medium of claim 19, wherein the set of instructions for encapsulating the packet with an overlay-network encapsulation header further comprises a set of instructions for encapsulating the packet with (i) a 2-bit field to indicate whether the packet has been fragmented and (ii) a fragment sequence number that indicates which fragment number corresponds to the packet.
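The following Python model is an added illustration of the distributed filter the abstract and claims 1, 7, 8, 9, 10 and 11 describe; it is not code from the patent or from any product. It assumes a constructed overlay header layout (magic, a flags byte whose low two bits are the fragmentation field, a 32-bit fence identifier, a message id and a fragment sequence number), a bridge table keyed by the inner frame's destination MAC, and a fence filter class and `demo` scenario that are hypothetical names chosen here. The receiving filter drops any packet whose fence identifier is not the one its VNIC belongs to, which is the isolation property the claims rely on, and reassembles fragments that arrive out of order.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Constructed header layout (an assumption for this example, not the patent's wire format):
#   magic(2) | flags(1) | fence_id(4) | msg_id(2) | frag_seq(1)
# The low 2 bits of flags are the fragmentation field of claim 9 (encoding chosen here):
#   0b00 not fragmented, 0b01 a non-final fragment, 0b11 the final fragment.
HDR_FMT = "!2sBIHB"
HDR_LEN = struct.calcsize(HDR_FMT)          # 10 bytes
MAGIC = b"PV"
FRAG_NONE, FRAG_MORE, FRAG_LAST = 0b00, 0b01, 0b11


def pack_header(flags: int, fence_id: int, msg_id: int, seq: int) -> bytes:
    return struct.pack(HDR_FMT, MAGIC, flags, fence_id, msg_id, seq)


class FenceFilter:
    """Hypothetical per-host filter; one instance per VNIC, outside the VM (claims 4, 11)."""

    def __init__(self, fence_id: int, mtu: int, bridge_table: Dict[bytes, str]):
        self.fence_id = fence_id            # fenced group this VNIC is a member of
        self.mtu = mtu                      # physical network MTU in bytes
        self.bridge_table = bridge_table    # inner dst MAC -> destination host (claim 7)
        self._next_msg = 0
        self._reasm: Dict[Tuple[int, int], Dict[int, bytes]] = {}
        self._last_seq: Dict[Tuple[int, int], int] = {}

    def encapsulate(self, frame: bytes) -> List[Tuple[str, bytes]]:
        """Egress path: returns (destination host, encapsulated packet) pairs."""
        dst_mac = frame[:6]                 # Ethernet destination of the inner frame
        host = self.bridge_table.get(dst_mac)
        if host is None:
            raise KeyError("destination VM is not in this PVN's bridge table")
        msg_id = self._next_msg & 0xFFFF
        self._next_msg += 1
        if HDR_LEN + len(frame) <= self.mtu:
            return [(host, pack_header(FRAG_NONE, self.fence_id, msg_id, 0) + frame)]
        # Claim 8: an oversize packet is split and every piece gets its own header
        max_payload = self.mtu - HDR_LEN
        pieces = [frame[i:i + max_payload] for i in range(0, len(frame), max_payload)]
        out = []
        for seq, piece in enumerate(pieces):
            flags = FRAG_LAST if seq == len(pieces) - 1 else FRAG_MORE
            out.append((host, pack_header(flags, self.fence_id, msg_id, seq) + piece))
        return out

    def decapsulate(self, packet: bytes) -> Optional[bytes]:
        """Ingress path: the inner frame once complete, or None (dropped or pending)."""
        if len(packet) < HDR_LEN:
            return None
        magic, flags, fence_id, msg_id, seq = struct.unpack(HDR_FMT, packet[:HDR_LEN])
        payload = packet[HDR_LEN:]
        if magic != MAGIC or fence_id != self.fence_id:
            return None      # not our fenced group: the isolation check of claim 1
        frag = flags & 0b11
        if frag == FRAG_NONE:
            return payload
        key = (fence_id, msg_id)
        bucket = self._reasm.setdefault(key, {})
        bucket[seq] = payload
        if frag == FRAG_LAST:
            self._last_seq[key] = seq
        last = self._last_seq.get(key)
        if last is None or any(i not in bucket for i in range(last + 1)):
            return None      # still waiting for fragments (claim 10)
        del self._reasm[key]
        del self._last_seq[key]
        return b"".join(bucket[i] for i in range(last + 1))


def demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: sender and receiver in fence 7, a third host in fence 9.

    Returns (packet was fragmented, receiver rebuilt the frame, outsider saw anything).
    """
    vm_b_mac = bytes.fromhex("0a0000000002")
    sender = FenceFilter(fence_id=7, mtu=64, bridge_table={vm_b_mac: "host-2"})
    receiver = FenceFilter(fence_id=7, mtu=64, bridge_table={})
    outsider = FenceFilter(fence_id=9, mtu=64, bridge_table={})
    # Constructed 134-byte Ethernet frame: dst MAC, src MAC, EtherType, payload
    frame = vm_b_mac + bytes.fromhex("0a0000000001") + b"\x08\x00" + bytes(range(120))
    pkts = sender.encapsulate(frame)
    got = None
    for _, p in reversed(pkts):             # deliver out of order to exercise reassembly
        got = receiver.decapsulate(p) or got
    outsider_got = any(outsider.decapsulate(p) is not None for _, p in pkts)
    return len(pkts) > 1, got == frame, outsider_got


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

With a 64-byte MTU the 134-byte frame is carried as three overlay packets, each with the fence identifier in its outer header; the receiving filter in fence 7 reassembles them even when the last fragment arrives first, while the filter in fence 9 discards every one of them at the fence check.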
February 18, 2018
March 16, 2021